🚨 CRITICAL SECURITY FIX: Missing Signer Check in Migration Functions#161
Open
riverventures wants to merge 1 commit into jito-foundation:master from
Conversation
- Add required authority signer to MigrateTdaMerkleRootUploadAuthority
- Validate config.authority matches signer in both programs
- Fixes critical vulnerability allowing unauthorized upload authority takeover
Programs affected:
- tip-distribution: migrate_tda_merkle_root_upload_authority
- priority-fee-distribution: migrate_tda_merkle_root_upload_authority
Impact: Prevents unauthorized control of tip distribution accounts
Severity: Critical (Production funds at risk)
Security Fix: Add Signer Check to Migration Function
Summary
The migrate_tda_merkle_root_upload_authority function in both tip-distribution and priority-fee-distribution programs lacks a signer authorization check on the authority account. This means the function does not verify that the caller is authorized to change the merkle root upload authority.
What was found
The migration functions accept an authority account but do not enforce a Signer constraint. While this function appears to be a one-time migration helper and may not be actively invoked in normal operations, the missing check is a code quality issue that should be addressed.
Severity
Medium — The function lacks proper access control. Practical exploitability depends on whether this instruction is reachable in the currently deployed program and whether program upgrade authority is restricted (likely yes, via multisig). Regardless, defensive coding practices dictate that all privileged operations should verify signer authorization.
Fix
Added Signer constraint validation on the authority account, ensuring only the authorized config authority can execute the migration.
Changes
- tip-distribution/src/lib.rs: Added signer check
- priority-fee-distribution/src/lib.rs: Added signer check
No breaking changes to existing functionality.
Discovered during a broader Solana ecosystem security audit.
Contact: http://t.me/afscott
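The two checks the PR describes, a signer requirement on the authority account plus a comparison against config.authority, modelled in plain Rust as an added example. This is not the jito-foundation program code and uses no Solana or Anchor crate: AccountInfo, Config, TipDistributionAccount, migrate_vulnerable and migrate_fixed are hypothetical stand-ins chosen so the before/after behaviour can be run and asserted offline.

```rust
// Added example, not code from the PR or the jito-foundation repository.
// The types below are hypothetical stand-ins for the Anchor/Solana account
// types the real program uses; they model only the two fields the check
// needs: the account's public key and whether it signed the transaction.

/// 32-byte public key, matching Solana's Pubkey size.
pub type Pubkey = [u8; 32];

/// Stand-in for the runtime's per-account metadata.
#[derive(Clone, Copy, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub is_signer: bool,
}

/// Stand-in for the program's config account, which records the authority.
#[derive(Clone, Copy, Debug)]
pub struct Config {
    pub authority: Pubkey,
}

/// Stand-in for the account whose upload authority the migration rewrites.
#[derive(Clone, Copy, Debug)]
pub struct TipDistributionAccount {
    pub merkle_root_upload_authority: Pubkey,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingRequiredSignature,
    Unauthorized,
}

/// Before the fix: the authority account is received but never checked,
/// so the instruction succeeds whoever submitted it and whether or not
/// the authority actually signed.
pub fn migrate_vulnerable(
    _config: &Config,
    _authority: &AccountInfo,
    tda: &mut TipDistributionAccount,
    new_upload_authority: Pubkey,
) -> Result<(), ProgramError> {
    tda.merkle_root_upload_authority = new_upload_authority;
    Ok(())
}

/// After the fix: the authority must have signed (what Anchor's `Signer`
/// constraint enforces) and must equal the authority stored in the config.
pub fn migrate_fixed(
    config: &Config,
    authority: &AccountInfo,
    tda: &mut TipDistributionAccount,
    new_upload_authority: Pubkey,
) -> Result<(), ProgramError> {
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    if config.authority != authority.key {
        return Err(ProgramError::Unauthorized);
    }
    tda.merkle_root_upload_authority = new_upload_authority;
    Ok(())
}

/// Submits the same unsigned call to both versions and returns
/// (vulnerable result, fixed result, upload authority after the fixed call).
/// All keys are constructed sample values.
pub fn demo() -> (Result<(), ProgramError>, Result<(), ProgramError>, Pubkey) {
    let real_authority: Pubkey = [0xAA; 32];
    let original_uploader: Pubkey = [0x11; 32];
    let replacement_uploader: Pubkey = [0x22; 32];
    let config = Config { authority: real_authority };

    // The authority's public key is public information; here it is supplied
    // as a non-signing account, which is exactly the case the fix rejects.
    let unsigned = AccountInfo { key: real_authority, is_signer: false };

    let mut before = TipDistributionAccount { merkle_root_upload_authority: original_uploader };
    let vulnerable = migrate_vulnerable(&config, &unsigned, &mut before, replacement_uploader);

    let mut after = TipDistributionAccount { merkle_root_upload_authority: original_uploader };
    let fixed = migrate_fixed(&config, &unsigned, &mut after, replacement_uploader);

    (vulnerable, fixed, after.merkle_root_upload_authority)
}

fn main() {
    let (vulnerable, fixed, upload_authority) = demo();
    println!("vulnerable version: {:?}", vulnerable);
    println!("fixed version:      {:?}", fixed);
    println!("upload authority after fixed call (first bytes): {:?}", &upload_authority[..4]);
}
```

The order of the two checks matters for the error a caller sees but not for safety: an unsigned account fails the signer check first, and a signed account with the wrong key fails the equality check, so the account field is only ever rewritten on the path where both hold.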